Security - Systems • Design Considerations
Layer 2 Design
• L2 Control protocols - 802.1q, STP and ARP
• 802.1q
  • for Ethernet switches to exchange VLAN info
  • Primary Issues: VLAN hopping
• Spanning Tree Protocol
  • for L2 loop avoidance
  • Primary Issues: No authentication on bridge PDUs
  • Attacks: Cause link failure; pretend to be root of tree.
  • Defense: Control participation in STP (switch level)
Layer 2 Design
• ARP
  • for MAC <-- IP mapping
  • Primary Issues: gARP (gratuitous ARP) messages for high availability
  • Defense: VLANs, static ARP entries
• DHCP
  • for IP allocation
  • Issues: MAC Spoofing, rogue DHCP server
  • Defense: allow/deny for specific ports to respond to DHCP requests
Layer 2 Design
• Wireless Networks – Medium Access
  • Boundary is diffused (not hard)
  • Intruders do not have to intercept wires – all messages are broadcast (in a shared medium)
  • Unauthenticated access modes may cause problems
  • Contention resolution – Fairness issues
  • Easy to limit / eliminate availability
IP Addressing Design
• Subnetting
  • Administrative / Physical separation
  • Primary Issues: Access Control
  • Defense: VLANs, Level 3 ACLs (Access Control Lists)
Ingress / Egress Filtering
• Private address traffic not seen outside (egress: drop packets leaving with private source addresses).
• Incoming traffic only from outside world (ingress: drop packets arriving with internal source addresses).
• Filtering at edge or close to edge - not necessarily only at the firewall.
NAT
• Private addresses translated to public addresses
• Incoming traffic - reverse translation
• Modes: static, 1-1, many-1
• Avoid relying on NAT (many-1) for security
ICMP Design Issues
• ping messages
  • essential for admin. - turning off is not a solution except in specific cases.
  • Primary issue - Echo request/reply messages - variable length data field
    • ping-of-death attacks, DoS attacks, buffer overflows
    • covert channels (w/ software on host)
• Solutions: “Explicitly permit - implicitly deny”
  • Permit ICMP echo request/reply messages w/ networks of necessity and for required users
  • Deny all other echo messages
ICMP - Design Issues
• Other required ICMP messages
  • (some types of) Destination Unreachable messages
  • TTL 0 (Time Exceeded) messages needed by traceroute
• ICMP filtering
  • ACLs for permitting specific messages (seen above) and for denying all others
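The two filtering slides above (ingress/egress source filtering, and ICMP "explicitly permit - implicitly deny") can be expressed as one stateless edge ACL. The following is an added example, not code from the slides; the site prefix 203.0.113.0/24, its admin subnet 203.0.113.0/28 (the "network of necessity" that may ping), and the packet fields are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed site addressing (assumption, not from the slides): the site owns the
# public block 203.0.113.0/24; 203.0.113.0/28 holds the admin hosts that need ping.
SITE = ipaddress.ip_network("203.0.113.0/24")
MGMT_NET = ipaddress.ip_network("203.0.113.0/28")
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ECHO_REPLY, DEST_UNREACH, ECHO_REQUEST, TIME_EXCEEDED = 0, 3, 8, 11   # ICMP type numbers

@dataclass
class Packet:
    direction: str        # "in" = arriving from the outside world, "out" = leaving towards it
    src: str
    dst: str
    proto: str            # "icmp", "tcp" or "udp"
    icmp_type: int = -1   # ICMP type and code, only meaningful when proto == "icmp"
    icmp_code: int = -1

def in_any(ip, nets):
    return any(ipaddress.ip_address(ip) in n for n in nets)

def edge_filter(pkt):
    """Stateless edge ACL: anti-spoofing checks first, then the ICMP policy
    'explicitly permit, implicitly deny'. Returns (verdict, rule name)."""
    # Ingress filtering: traffic from outside must not claim a private address or one of ours.
    if pkt.direction == "in" and in_any(pkt.src, PRIVATE_NETS + [SITE]):
        return "deny", "ingress-spoofed-source"
    # Egress filtering: traffic leaving must carry a site address, so private
    # (and spoofed foreign) source addresses are never seen outside.
    if pkt.direction == "out" and not in_any(pkt.src, [SITE]):
        return "deny", "egress-bad-source"
    if pkt.proto != "icmp":
        return "permit", "non-icmp"          # left to the later, stateful firewall rules
    inside = pkt.src if pkt.direction == "out" else pkt.dst   # the site-side endpoint
    if pkt.icmp_type in (ECHO_REQUEST, ECHO_REPLY):
        # Echo only for the network of necessity; every other echo is denied.
        if in_any(inside, [MGMT_NET]):
            return "permit", "icmp-echo-mgmt"
        return "deny", "icmp-echo-other"
    if pkt.icmp_type == TIME_EXCEEDED:                         # needed by traceroute
        return "permit", "icmp-time-exceeded"
    if pkt.icmp_type == DEST_UNREACH and pkt.icmp_code == 4:   # fragmentation needed (Path MTU discovery)
        return "permit", "icmp-frag-needed"
    return "deny", "icmp-implicit-deny"     # everything not explicitly permitted
```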
Routing - Issues
• Possible attacks:
  • Traffic Redirection
  • Traffic sent to a black-hole
  • Router DoS (Denial of Service) - Attack on Availability
  • Routing protocol DoS
  • Unauthorized router prefix origination
Routing - Issues
• Attack methods & possible solutions:
  • Configuration modification of routers
    • Secure routers - Device Hardening
  • Rogue Router Introduction
    • Add message authentication to routing protocol
    • Use ACLs to block routing protocol message types from unwanted networks
  • Spoofing / Modifying of routing messages
    • Message authentication; TCP seq. #s help;
  • Sending malformed or excess packets
    • DoS mitigation for excess; no easy soln. for malformed packets
Router - Device hardening
• Disable Unneeded Services
  • No DNS lookup for router
  • no echo or finger services
  • no bootp service (if not needed)
  • no source routing and directed broadcast
  • no ICMP redirects
• Password Encryption
• Authentication
  • Use hashed passwords
  • Use secure protocols (say SSH) for line access
  • Set up usernames and access controls
Routing Protocol - Message Auth.
• Passwords with routing update messages
• MD5 digest authentication with secret keying
• Protocol Specific:
  • Avoid RIP v1 - has no auth. mechanism
  • OSPF (widely used for interior gateways) - supports keyed MD5
  • BGP (widely used for cross-domain routing) - supports keyed MD5 through TCP option
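What "MD5 digest authentication with secret keying" buys over a plaintext password, as an added example that is not from the slides: the key is appended to the update before hashing and never travels on the wire, so a rogue router cannot forge or modify updates, and an increasing sequence number stops replay. The message layout (key id, sequence number, payload, 16-byte digest) is a simplified assumption in the style of RIPv2/OSPFv2, not either protocol's exact wire format.

```python
import hashlib
import hmac
import struct

DIGEST_LEN = 16        # MD5 output length
KEY_LEN = 16           # keys are padded/truncated to 16 bytes, as RIPv2 and OSPFv2 do

def _keyed_md5(body, key):
    # Keyed MD5 in the style of RIPv2 (RFC 2082) and OSPFv2 (RFC 2328): the secret
    # key is appended to the message and the whole thing is hashed. Only a peer
    # holding the same key can produce or check the digest.
    return hashlib.md5(body + key.ljust(KEY_LEN, b"\x00")[:KEY_LEN]).digest()

def sign_update(seq, payload, key, key_id=1):
    """Authenticated routing update: header (key id, sequence number) + payload + digest.
    The sequence number must increase so that captured updates cannot be replayed."""
    body = struct.pack("!BI", key_id, seq) + payload
    return body + _keyed_md5(body, key)

def verify_update(msg, keys, last_seq):
    """Check an update against the configured keys {key_id: key} and the last
    sequence number accepted from this neighbour. Returns (ok, seq, payload)."""
    if len(msg) < 5 + DIGEST_LEN:
        return False, None, None
    body, digest = msg[:-DIGEST_LEN], msg[-DIGEST_LEN:]
    key_id, seq = struct.unpack("!BI", body[:5])
    key = keys.get(key_id)
    # Unknown key id or wrong digest: a spoofed/modified message or a rogue router.
    if key is None or not hmac.compare_digest(digest, _keyed_md5(body, key)):
        return False, None, None
    if seq <= last_seq:                    # replayed or reordered update
        return False, seq, None
    return True, seq, body[5:]
```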
Routing - Issues
• Asymmetric Routing & State-Aware Security
  • Asymmetric traffic - different paths for request and return; per packet routing
  • Can happen at switches, over the Internet or at ISP.
  • Causes problems for state-aware security devices and mechanisms - Firewalls, IDS etc.
Routing - Issues
• Asymmetric Routing - Solutions
  • Use Symmetric Routing
    • hard to do and impractical
  • Load balance per flow (rather than per packet)
    • cannot avoid request-return asymmetry.
  • Manipulate flows using NAT or routing
  • Use state-sharing security devices - e.g. exchange info. bet. firewalls
    • significant traffic overhead
  • Use stateless security features - e.g. ACLs
    • works only for easy situations - simple traffic categorizations
Transport Protocol - Design Issues
• Denial Of Service attacks
  • easy to launch and cannot be completely stopped.
  • network flooding (consume bw) vs. transport flooding (consume host resources)
• Network Flooding
  • Detection: thru’ Network Intrusion Detection, routers and firewalls (i.e. their log data)
  • Stopping: often thru’ Service provider only; stops good as well as bad traffic
Transport Protocol - Design Issues
• Stopping Network Flooding
  • Basic ACL: drop all traffic destined for an IP address; configure this throughout the ISP’s network.
  • Black Hole Filtering: Propagate static routes to divert traffic to a black hole. Faster than basic ACL approach; much less CPU impact.
  • Sinkhole Routing: Traffic diverted to a specific location so that it can be studied.
Transport Protocol - Design Issues
• Trace Back (DoS)
  • Manual ACL trace back: create an ACL with broad permits that are made more specific as more information about the attack is gained.
  • Backscatter Trace back:
    • combine black hole and sinkhole routing
    • black hole routing results in ICMP unreachable messages
    • use a chunk of unallocated IP addresses for internal routing within ISP to forward to a sinkhole.
  • Tracebacks are useless if the attacker is spoofing a legitimately allocated address.
Transport Protocol - Design Issues
• DoS Mitigation
  • QoS techniques -
    • limit traffic by type (UDP 10 Mbps, ICMP 200 Kbps etc.); use token system for traffic to limit it;
    • application specific filtering (e.g. in ecommerce scenarios UDP traffic is needed)
  • use a distributed design
    • content delivery networks
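The "token system" behind per-type rate limits, as an added example that is not from the slides: a token bucket per traffic class with the slide's limits (UDP 10 Mbps, ICMP 200 Kbps), run over a constructed packet trace. The burst size (0.1 s worth of traffic) and the trace are assumptions.

```python
class TokenBucket:
    """Token bucket measured in bits: tokens refill at rate_bps, capped at burst_bits.
    A packet is forwarded only when enough tokens are present to pay for its size."""
    def __init__(self, rate_bps, burst_bits):
        self.rate, self.burst = rate_bps, burst_bits
        self.tokens, self.last = burst_bits, 0.0    # starts full; times are seconds from 0

    def allow(self, now, size_bytes):
        # Refill for the time elapsed since the last packet, never beyond the burst.
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        cost = size_bytes * 8
        if self.tokens >= cost:
            self.tokens -= cost
            return True
        return False        # no tokens left: the packet is policed (dropped)

def make_policy():
    # Limits from the slide: UDP 10 Mbps, ICMP 200 Kbps. Burst = 0.1 s worth of
    # traffic (an assumption). Protocols without a bucket are not limited here.
    return {"udp": TokenBucket(10_000_000, 1_000_000), "icmp": TokenBucket(200_000, 20_000)}

def police(packets, policy):
    """packets: iterable of (time_s, proto, size_bytes) in time order.
    Returns {proto: (forwarded, dropped)}."""
    stats = {}
    for now, proto, size in packets:
        bucket = policy.get(proto)
        ok = bucket.allow(now, size) if bucket else True
        fwd, drop = stats.get(proto, (0, 0))
        stats[proto] = (fwd + int(ok), drop + int(not ok))
    return stats

# Constructed sample trace: an ICMP burst of 100 x 1000-byte packets at t=0, 50 x 1500-byte
# UDP packets and one TCP packet at t=0, then a single legitimate ping one second later.
SAMPLE = ([(0.0, "icmp", 1000)] * 100 + [(0.0, "udp", 1500)] * 50
          + [(0.0, "tcp", 60), (1.0, "icmp", 1000)])
```

The ICMP flood burns the 20,000-bit burst after two packets and the rest of the burst is dropped, while the later ping passes once the bucket has refilled; the UDP traffic stays under its limit.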
Transport Protocol - Design Issues
• (back to) Denial Of Service attacks
  • easy to launch and cannot be completely stopped.
  • network flooding (consume bw) vs. transport flooding (consume host resources)
• Transport Flooding
  • TCP SYN flooding - send a SYN packet (part of the 3-way handshake) but never respond to the acknowledgment; TCP is connection oriented: connections kept open for a time; connection queues overflow
Transport Protocol - Design Issues
• SYN cookies
  • host specific method of mitigating SYN flooding attacks;
  • avoid storing SYN packets in queue; use challenge-response model for handshake.
• TCP intercept
  • network-level protection for SYN floods
  • intercept connection requests at an intermediate node which transparently forwards TCP packets to server; SYN packets are acked ASAP; if client does not respond use a backoff protocol; (e.g. PIX firewalls)
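How the SYN-cookie challenge-response avoids queueing half-open connections, as an added example that is not from the slides: the server's initial sequence number is a keyed function of the connection 4-tuple, the client's ISN and a coarse time counter, so the final ACK can be checked with no stored state. The bit layout (5-bit time counter, 3-bit MSS index, 24-bit hash) follows the classic scheme; the secret, the MSS table and the HMAC-SHA256 hash are assumptions of this example.

```python
import hmac
import struct

SECRET = b"constructed-per-boot-server-secret"   # assumption: a real host draws this randomly at boot
MSS_TABLE = [536, 1300, 1440, 1460]              # MSS values encodable in the 3-bit field

def _mac24(src, sport, dst, dport, client_isn, counter):
    # 24-bit keyed hash over the connection 4-tuple, the client's ISN and the time counter.
    msg = f"{src}:{sport}>{dst}:{dport}".encode() + struct.pack("!II", client_isn, counter)
    return int.from_bytes(hmac.new(SECRET, msg, "sha256").digest()[:3], "big")

def make_cookie(src, sport, dst, dport, client_isn, mss, now):
    """Server ISN for the SYN-ACK: 5-bit time counter (64 s units) | 3-bit MSS index |
    24-bit keyed hash. The SYN is answered and forgotten; nothing is queued."""
    t = (int(now) // 64) & 0x1F
    # Largest encodable MSS not above the one the client offered (index 0 if none fits).
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return (t << 27) | (mss_idx << 24) | _mac24(src, sport, dst, dport, client_isn, t)

def check_cookie(src, sport, dst, dport, client_isn, ack, now):
    """Validate the handshake's final ACK with no stored state. The ACK number is
    cookie + 1 and client_isn is the ACK's sequence number minus one. Returns (valid, mss)."""
    cookie = (ack - 1) & 0xFFFFFFFF
    t = cookie >> 27
    if ((int(now) // 64) - t) & 0x1F > 1:        # stale cookie (more than ~2 ticks old): reject
        return False, None
    if cookie & 0xFFFFFF != _mac24(src, sport, dst, dport, client_isn, t):
        return False, None                       # forged cookie or mismatched connection
    return True, MSS_TABLE[(cookie >> 24) & 0x7]
```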